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Introductions - About Dirk 



Dirk Schrader 

Sales Director @ Utimaco LI MS 
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Introductions - About Utimaco 



► Founded in 1983 

► Listed on the German Stock 
Exchange 

► €59.2 million (fiscal year 07/08) 

► 300+ employees 
in offices worldwide 

► Headquarters in Germany 

► 12 subsidiaries and established 
distributor and partner network 
around 

► recently acquired by Sophos Pic 
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Introductions - About the topic 



► Anti-SPAM, 

► Antivirus, 

► Intrusion Detection/ 
Prevention Systems, 

► Deep Packet Inspection. 







You have heard about this technologies protecting your Notebook from 
the evil lurking out there in the Net. 

What do they do exactly? How to use their methods for LI? 

This session shall give an overview about the methods and the way 
they can help improving LI in a world communicating in packets. 
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Anti-SPAM - Overview 
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► Basics 

aka Email-Filtering, used in 
automated techniques. 

Some of these depend upon 
rejecting email from Internet sites 
known or likely to send spam. 
Others rely on automatically 
analyzing the content of email 
messages and weeding out those 
which resemble spam. 



► Keywords 

♦ Regular Expressions 

♦ Blocking and Filtering 

♦ Checksum-based 

♦ C/R System 

♦ Bayesian (Statistical) 
Filtering 

♦ Transparent Proxy 

♦ B/W-List (DNS-based) 
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Anti-SPAM - LI implications 
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► Filters can help, but can also be evaded, if not kept up- 
to-date 

► Mass data (in average 80% of email is SPAM) needs to 
be (pre-)handled, but can never be 100% correct 

► Different approaches targeting the same goal can 
increase accuracy 
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Anti-Virus - Overview 



► Basics 

identifies and removes SW viruses, 
or any kind of malware. Several 
methods exist to identify malware. 
Signature based detection is 
limited as it can only identify a 
limited amount of emerging threats. 
Suspicious behavior monitors the 
behavior of all programs. If one tries 
to write data to an executable 
program, the antivirus alerts. 
Sophisticated AV-SW uses 
heuristic analysis to identify new 
malware. 
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► Keywords 

♦ Metamorphic viruses 

♦ False positives 

♦ False negatives 

♦ Signature Updates 

♦ Sandbox 



Anti-Virus - LI implications 



► Signatures must be kept up-to-date, using them for LI 
purposes requires a repository to keep track. 

► False positives are likely, as well as false negatives 

► A secured environment is necessary to find information 
covered by something which poses a threat to the LI 
system. 
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IDS/IPS - Overview 



► Basics 



is SW a/o HW designed to 
detect/prevent unwanted attempts 
to manipulate a PC. 

A statistical anomaly based 
system establishes a performance 
baseline based on normal network 
traffic evaluations. 

A signature based system 
examines network traffic for 
preconfigured and predetermined 
attack patterns. 
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► Keywords 

♦ False positives 

♦ False negatives 

♦ Signature Updates 

♦ Network-based 

♦ Protocol-based 

♦ Flost-based 

♦ Content-based 
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IDS/IPS - LI implications 
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► The interception access point dominates the LI 
approach. 

► Again: False positives are likely, as well as false 
negatives 

► The problem of baselines, what is .normal 1 
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DPI - Overview 



► Basics 



DPI is a form of computer network 
packet filtering that examines the 
data and/or header part of a 
packet as it passes an inspection 
point. 

It enables advanced security 
functions as well as internet data 
mining. 

DPI combines the functionality of 
IDS, IPS and Stateful Firewalls to 
have the ability to look at Layer 2 
through Layer 7 of the OSI model. 
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Keywords 

♦ Traffic access point 

♦ Intercepting proxy 
server 

♦ Protocol-awareness 
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DPI - LI implications 
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► Layer 7 interception needs understanding of the ever 
changing world of protocols. 

► TAP at the wrong place, and you‘11 never see your 
target. 

► Layer 2 technologies like MPLS can be cumbersome 
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Summary 



► Keep track of your trigger criterias in a kind of repository 

► Keep your trigger criterias up-to-date 

► Automation never produces 100% results, but greatly 
reduces the workload for human intelligence. 

► The key is tuning the sensitivity (balancing false pos. 
against false neg.) 

► Mind your point of access to the network 

► Protocol-awareness is crucial 
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Q&A and Thank You 



Feel free to start the Q&A part 
Thank you for your kind attention! 
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Contact details 



Dirk Schrader 

Director Sales LIMS 



Utimaco Safeware AG 
Germanusstrasse 4 
DE-52080 Aachen 

dirk.schrader@aachen.utimaco.de 

Fon +49(241) 1696-226 • Fax +49(241) 1696-199 

Mobile +49(172)7556617 
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